Update Rust to 1.84.1 (#5508 )

- also update the crates - add necessary modifications for `rand` upgrade - `small_rng` is enabled by default now
Allow all manager to create collections again (#5488 )
2025-02-01 13:16:32 +01:00 · 2025-01-29 20:41:31 +01:00 · 2025-01-29 12:00:14 +01:00 · 2025-01-28 11:25:53 +01:00 · 2025-01-27 20:16:59 +01:00 · 2025-01-27 18:29:24 +01:00
26 changed files with 714 additions and 347 deletions
@@ -120,37 +120,37 @@ jobs:
      # First test all features together, afterwards test them separately.
      - name: "test features: sqlite,mysql,postgresql,enable_mimalloc,query_logger"
        id: test_sqlite_mysql_postgresql_mimalloc_logger
-        if: $${{ always() }}
+        if: ${{ !cancelled() }}
        run: |
          cargo test --features sqlite,mysql,postgresql,enable_mimalloc,query_logger

      - name: "test features: sqlite,mysql,postgresql,enable_mimalloc"
        id: test_sqlite_mysql_postgresql_mimalloc
-        if: $${{ always() }}
+        if: ${{ !cancelled() }}
        run: |
          cargo test --features sqlite,mysql,postgresql,enable_mimalloc

      - name: "test features: sqlite,mysql,postgresql"
        id: test_sqlite_mysql_postgresql
-        if: $${{ always() }}
+        if: ${{ !cancelled() }}
        run: |
          cargo test --features sqlite,mysql,postgresql

      - name: "test features: sqlite"
        id: test_sqlite
-        if: $${{ always() }}
+        if: ${{ !cancelled() }}
        run: |
          cargo test --features sqlite

      - name: "test features: mysql"
        id: test_mysql
-        if: $${{ always() }}
+        if: ${{ !cancelled() }}
        run: |
          cargo test --features mysql

      - name: "test features: postgresql"
        id: test_postgresql
-        if: $${{ always() }}
+        if: ${{ !cancelled() }}
        run: |
          cargo test --features postgresql
      # End Run cargo tests
@@ -159,7 +159,7 @@ jobs:
      # Run cargo clippy, and fail on warnings
      - name: "clippy features: sqlite,mysql,postgresql,enable_mimalloc"
        id: clippy
-        if: ${{ always() && matrix.channel == 'rust-toolchain' }}
+        if: ${{ !cancelled() && matrix.channel == 'rust-toolchain' }}
        run: |
          cargo clippy --features sqlite,mysql,postgresql,enable_mimalloc -- -D warnings
      # End Run cargo clippy
@@ -168,7 +168,7 @@ jobs:
      # Run cargo fmt (Only run on rust-toolchain defined version)
      - name: "check formatting"
        id: formatting
-        if: ${{ always() && matrix.channel == 'rust-toolchain' }}
+        if: ${{ !cancelled() && matrix.channel == 'rust-toolchain' }}
        run: |
          cargo fmt --all -- --check
      # End Run cargo fmt
@@ -44,7 +44,7 @@ syslog = "7.0.0"
 macros = { path = "./macros" }

 # Logging
-log = "0.4.22"
+log = "0.4.25"
 fern = { version = "0.7.1", features = ["syslog-7", "reopen-1"] }
 tracing = { version = "0.1.41", features = ["log"] } # Needed to have lettre and webauthn-rs trace logging to work

@@ -71,14 +71,14 @@ dashmap = "6.1.0"

 # Async futures
 futures = "0.3.31"
-tokio = { version = "1.42.0", features = ["rt-multi-thread", "fs", "io-util", "parking_lot", "time", "signal", "net"] }
+tokio = { version = "1.43.0", features = ["rt-multi-thread", "fs", "io-util", "parking_lot", "time", "signal", "net"] }

 # A generic serialization/deserialization framework
 serde = { version = "1.0.217", features = ["derive"] }
-serde_json = "1.0.135"
+serde_json = "1.0.138"

 # A safe, extensible ORM and Query builder
-diesel = { version = "2.2.6", features = ["chrono", "r2d2", "numeric"] }
+diesel = { version = "2.2.7", features = ["chrono", "r2d2", "numeric"] }
 diesel_migrations = "2.2.0"
 diesel_logger = { version = "0.4.0", optional = true }

@@ -86,25 +86,25 @@ derive_more = { version = "1.0.0", features = ["from", "into", "as_ref", "deref"
 diesel-derive-newtype = "2.1.2"

 # Bundled/Static SQLite
-libsqlite3-sys = { version = "0.30.1", features = ["bundled"], optional = true }
+libsqlite3-sys = { version = "0.31.0", features = ["bundled"], optional = true }

 # Crypto-related libraries
-rand = { version = "0.8.5", features = ["small_rng"] }
+rand = "0.9.0"
 ring = "0.17.8"

 # UUID generation
-uuid = { version = "1.11.0", features = ["v4"] }
+uuid = { version = "1.12.1", features = ["v4"] }

 # Date and time libraries
 chrono = { version = "0.4.39", features = ["clock", "serde"], default-features = false }
-chrono-tz = "0.10.0"
+chrono-tz = "0.10.1"
 time = "0.3.37"

 # Job scheduler
 job_scheduler_ng = "2.0.5"

 # Data encoding library Hex/Base32/Base64
-data-encoding = "2.6.0"
+data-encoding = "2.7.0"

 # JWT library
 jsonwebtoken = "9.3.0"
@@ -147,7 +147,7 @@ cookie = "0.18.1"
 cookie_store = "0.21.1"

 # Used by U2F, JWT and PostgreSQL
-openssl = "0.10.68"
+openssl = "0.10.69"

 # CLI argument parsing
 pico-args = "0.5.0"
@@ -157,7 +157,7 @@ paste = "1.0.15"
 governor = "0.8.0"

 # Check client versions for specific features.
-semver = "1.0.24"
+semver = "1.0.25"

 # Allow overriding the default memory allocator
 # Mainly used for the musl builds, since the default musl malloc is very slow
@@ -5,7 +5,7 @@ vault_image_digest: "sha256:cb6b2095a4afc1d9d243a33f6d09211f40e3d82c7ae829fd025d
 # We use the linux/amd64 platform shell scripts since there is no difference between the different platform scripts
 # https://github.com/tonistiigi/xx | https://hub.docker.com/r/tonistiigi/xx/tags
 xx_image_digest: "sha256:9c207bead753dda9430bdd15425c6518fc7a03d866103c516a2c6889188f5894"
-rust_version: 1.84.0 # Rust version to be used
+rust_version: 1.84.1 # Rust version to be used
 debian_version: bookworm # Debian release name to be used
 alpine_version: "3.21" # Alpine version to be used
 # For which platforms/architectures will we try to build images
@@ -32,10 +32,10 @@ FROM --platform=linux/amd64 docker.io/vaultwarden/web-vault@sha256:cb6b2095a4afc
 ########################## ALPINE BUILD IMAGES ##########################
 ## NOTE: The Alpine Base Images do not support other platforms then linux/amd64
 ## And for Alpine we define all build images here, they will only be loaded when actually used
-FROM --platform=linux/amd64 ghcr.io/blackdex/rust-musl:x86_64-musl-stable-1.84.0 AS build_amd64
-FROM --platform=linux/amd64 ghcr.io/blackdex/rust-musl:aarch64-musl-stable-1.84.0 AS build_arm64
-FROM --platform=linux/amd64 ghcr.io/blackdex/rust-musl:armv7-musleabihf-stable-1.84.0 AS build_armv7
-FROM --platform=linux/amd64 ghcr.io/blackdex/rust-musl:arm-musleabi-stable-1.84.0 AS build_armv6
+FROM --platform=linux/amd64 ghcr.io/blackdex/rust-musl:x86_64-musl-stable-1.84.1 AS build_amd64
+FROM --platform=linux/amd64 ghcr.io/blackdex/rust-musl:aarch64-musl-stable-1.84.1 AS build_arm64
+FROM --platform=linux/amd64 ghcr.io/blackdex/rust-musl:armv7-musleabihf-stable-1.84.1 AS build_armv7
+FROM --platform=linux/amd64 ghcr.io/blackdex/rust-musl:arm-musleabi-stable-1.84.1 AS build_armv6

 ########################## BUILD IMAGE ##########################
 # hadolint ignore=DL3006
@@ -36,7 +36,7 @@ FROM --platform=linux/amd64 docker.io/tonistiigi/xx@sha256:9c207bead753dda9430bd

 ########################## BUILD IMAGE ##########################
 # hadolint ignore=DL3006
-FROM --platform=$BUILDPLATFORM docker.io/library/rust:1.84.0-slim-bookworm AS build
+FROM --platform=$BUILDPLATFORM docker.io/library/rust:1.84.1-slim-bookworm AS build
 COPY --from=xx / /
 ARG TARGETARCH
 ARG TARGETVARIANT
@@ -10,4 +10,4 @@ proc-macro = true

 [dependencies]
 quote = "1.0.38"
-syn = "2.0.94"
+syn = "2.0.96"
@@ -1,4 +1,4 @@
 [toolchain]
-channel = "1.84.0"
+channel = "1.84.1"
 components = [ "rustfmt", "clippy" ]
 profile = "minimal"
@@ -171,7 +171,7 @@ struct LoginForm {
    redirect: Option<String>,
 }

-#[post("/", data = "<data>")]
+#[post("/", format = "application/x-www-form-urlencoded", data = "<data>")]
 fn post_admin_login(
    data: Form<LoginForm>,
    cookies: &CookieJar<'_>,
@@ -289,7 +289,7 @@ async fn get_user_or_404(user_id: &UserId, conn: &mut DbConn) -> ApiResult<User>
    }
 }

-#[post("/invite", data = "<data>")]
+#[post("/invite", format = "application/json", data = "<data>")]
 async fn invite_user(data: Json<InviteData>, _token: AdminToken, mut conn: DbConn) -> JsonResult {
    let data: InviteData = data.into_inner();
    if User::find_by_mail(&data.email, &mut conn).await.is_some() {
@@ -315,7 +315,7 @@ async fn invite_user(data: Json<InviteData>, _token: AdminToken, mut conn: DbCon
    Ok(Json(user.to_json(&mut conn).await))
 }

-#[post("/test/smtp", data = "<data>")]
+#[post("/test/smtp", format = "application/json", data = "<data>")]
 async fn test_smtp(data: Json<InviteData>, _token: AdminToken) -> EmptyResult {
    let data: InviteData = data.into_inner();

@@ -393,7 +393,7 @@ async fn get_user_json(user_id: UserId, _token: AdminToken, mut conn: DbConn) ->
    Ok(Json(usr))
 }

-#[post("/users/<user_id>/delete")]
+#[post("/users/<user_id>/delete", format = "application/json")]
 async fn delete_user(user_id: UserId, token: AdminToken, mut conn: DbConn) -> EmptyResult {
    let user = get_user_or_404(&user_id, &mut conn).await?;

@@ -403,7 +403,7 @@ async fn delete_user(user_id: UserId, token: AdminToken, mut conn: DbConn) -> Em

    for membership in memberships {
        log_event(
-            EventType::OrganizationUserRemoved as i32,
+            EventType::OrganizationUserDeleted as i32,
            &membership.uuid,
            &membership.org_uuid,
            &ACTING_ADMIN_USER.into(),
@@ -417,7 +417,7 @@ async fn delete_user(user_id: UserId, token: AdminToken, mut conn: DbConn) -> Em
    res
 }

-#[post("/users/<user_id>/deauth")]
+#[post("/users/<user_id>/deauth", format = "application/json")]
 async fn deauth_user(user_id: UserId, _token: AdminToken, mut conn: DbConn, nt: Notify<'_>) -> EmptyResult {
    let mut user = get_user_or_404(&user_id, &mut conn).await?;

@@ -438,7 +438,7 @@ async fn deauth_user(user_id: UserId, _token: AdminToken, mut conn: DbConn, nt:
    user.save(&mut conn).await
 }

-#[post("/users/<user_id>/disable")]
+#[post("/users/<user_id>/disable", format = "application/json")]
 async fn disable_user(user_id: UserId, _token: AdminToken, mut conn: DbConn, nt: Notify<'_>) -> EmptyResult {
    let mut user = get_user_or_404(&user_id, &mut conn).await?;
    Device::delete_all_by_user(&user.uuid, &mut conn).await?;
@@ -452,7 +452,7 @@ async fn disable_user(user_id: UserId, _token: AdminToken, mut conn: DbConn, nt:
    save_result
 }

-#[post("/users/<user_id>/enable")]
+#[post("/users/<user_id>/enable", format = "application/json")]
 async fn enable_user(user_id: UserId, _token: AdminToken, mut conn: DbConn) -> EmptyResult {
    let mut user = get_user_or_404(&user_id, &mut conn).await?;
    user.enabled = true;
@@ -460,7 +460,7 @@ async fn enable_user(user_id: UserId, _token: AdminToken, mut conn: DbConn) -> E
    user.save(&mut conn).await
 }

-#[post("/users/<user_id>/remove-2fa")]
+#[post("/users/<user_id>/remove-2fa", format = "application/json")]
 async fn remove_2fa(user_id: UserId, token: AdminToken, mut conn: DbConn) -> EmptyResult {
    let mut user = get_user_or_404(&user_id, &mut conn).await?;
    TwoFactor::delete_all_by_user(&user.uuid, &mut conn).await?;
@@ -469,7 +469,7 @@ async fn remove_2fa(user_id: UserId, token: AdminToken, mut conn: DbConn) -> Emp
    user.save(&mut conn).await
 }

-#[post("/users/<user_id>/invite/resend")]
+#[post("/users/<user_id>/invite/resend", format = "application/json")]
 async fn resend_user_invite(user_id: UserId, _token: AdminToken, mut conn: DbConn) -> EmptyResult {
    if let Some(user) = User::find_by_uuid(&user_id, &mut conn).await {
        //TODO: replace this with user.status check when it will be available (PR#3397)
@@ -496,7 +496,7 @@ struct MembershipTypeData {
    org_uuid: OrganizationId,
 }

-#[post("/users/org_type", data = "<data>")]
+#[post("/users/org_type", format = "application/json", data = "<data>")]
 async fn update_membership_type(data: Json<MembershipTypeData>, token: AdminToken, mut conn: DbConn) -> EmptyResult {
    let data: MembershipTypeData = data.into_inner();

@@ -550,7 +550,7 @@ async fn update_membership_type(data: Json<MembershipTypeData>, token: AdminToke
    member_to_edit.save(&mut conn).await
 }

-#[post("/users/update_revision")]
+#[post("/users/update_revision", format = "application/json")]
 async fn update_revision_users(_token: AdminToken, mut conn: DbConn) -> EmptyResult {
    User::update_all_revisions(&mut conn).await
 }
@@ -575,7 +575,7 @@ async fn organizations_overview(_token: AdminToken, mut conn: DbConn) -> ApiResu
    Ok(Html(text))
 }

-#[post("/organizations/<org_id>/delete")]
+#[post("/organizations/<org_id>/delete", format = "application/json")]
 async fn delete_organization(org_id: OrganizationId, _token: AdminToken, mut conn: DbConn) -> EmptyResult {
    let org = Organization::find_by_uuid(&org_id, &mut conn).await.map_res("Organization doesn't exist")?;
    org.delete(&mut conn).await
@@ -733,7 +733,7 @@ async fn diagnostics(_token: AdminToken, ip_header: IpHeader, mut conn: DbConn)
    Ok(Html(text))
 }

-#[get("/diagnostics/config")]
+#[get("/diagnostics/config", format = "application/json")]
 fn get_diagnostics_config(_token: AdminToken) -> Json<Value> {
    let support_json = CONFIG.get_support_json();
    Json(support_json)
@@ -744,16 +744,16 @@ fn get_diagnostics_http(code: u16, _token: AdminToken) -> EmptyResult {
    err_code!(format!("Testing error {code} response"), code);
 }

-#[post("/config", data = "<data>")]
+#[post("/config", format = "application/json", data = "<data>")]
 fn post_config(data: Json<ConfigBuilder>, _token: AdminToken) -> EmptyResult {
    let data: ConfigBuilder = data.into_inner();
-    if let Err(e) = CONFIG.update_config(data) {
+    if let Err(e) = CONFIG.update_config(data, true) {
        err!(format!("Unable to save config: {e:?}"))
    }
    Ok(())
 }

-#[post("/config/delete")]
+#[post("/config/delete", format = "application/json")]
 fn delete_config(_token: AdminToken) -> EmptyResult {
    if let Err(e) = CONFIG.delete_user_config() {
        err!(format!("Unable to delete config: {e:?}"))
@@ -761,7 +761,7 @@ fn delete_config(_token: AdminToken) -> EmptyResult {
    Ok(())
 }

-#[post("/config/backup_db")]
+#[post("/config/backup_db", format = "application/json")]
 async fn backup_db(_token: AdminToken, mut conn: DbConn) -> ApiResult<String> {
    if *CAN_BACKUP {
        match backup_database(&mut conn).await {
@@ -925,9 +925,9 @@ async fn password_hint(data: Json<PasswordHintData>, mut conn: DbConn) -> EmptyR
                // paths that send mail take noticeably longer than ones that
                // don't. Add a randomized sleep to mitigate this somewhat.
                use rand::{rngs::SmallRng, Rng, SeedableRng};
-                let mut rng = SmallRng::from_entropy();
+                let mut rng = SmallRng::from_os_rng();
                let delta: i32 = 100;
-                let sleep_ms = (1_000 + rng.gen_range(-delta..=delta)) as u64;
+                let sleep_ms = (1_000 + rng.random_range(-delta..=delta)) as u64;
                tokio::time::sleep(tokio::time::Duration::from_millis(sleep_ms)).await;
                Ok(())
            } else {
@@ -1206,6 +1206,15 @@ async fn post_auth_request(

    nt.send_auth_request(&user.uuid, &auth_request.uuid, &data.device_identifier, &mut conn).await;

+    log_user_event(
+        EventType::UserRequestedDeviceApproval as i32,
+        &user.uuid,
+        client_headers.device_type,
+        &client_headers.ip.ip,
+        &mut conn,
+    )
+    .await;
+
    Ok(Json(json!({
        "id": auth_request.uuid,
        "publicKey": auth_request.public_key,
@@ -1287,9 +1296,26 @@ async fn put_auth_request(

        ant.send_auth_response(&auth_request.user_uuid, &auth_request.uuid).await;
        nt.send_auth_response(&auth_request.user_uuid, &auth_request.uuid, &data.device_identifier, &mut conn).await;
+
+        log_user_event(
+            EventType::OrganizationUserApprovedAuthRequest as i32,
+            &headers.user.uuid,
+            headers.device.atype,
+            &headers.ip.ip,
+            &mut conn,
+        )
+        .await;
    } else {
        // If denied, there's no reason to keep the request
        auth_request.delete(&mut conn).await?;
+        log_user_event(
+            EventType::OrganizationUserRejectedAuthRequest as i32,
+            &headers.user.uuid,
+            headers.device.atype,
+            &headers.ip.ip,
+            &mut conn,
+        )
+        .await;
    }

    Ok(Json(json!({
@@ -34,9 +34,13 @@ struct EventRange {
 async fn get_org_events(
    org_id: OrganizationId,
    data: EventRange,
-    _headers: AdminHeaders,
+    headers: AdminHeaders,
    mut conn: DbConn,
 ) -> JsonResult {
+    if org_id != headers.org_id {
+        err!("Organization not found", "Organization id's do not match");
+    }
+
    // Return an empty vec when we org events are disabled.
    // This prevents client errors
    let events_json: Vec<Value> = if !CONFIG.org_events_enabled() {
@@ -100,9 +104,12 @@ async fn get_user_events(
    org_id: OrganizationId,
    member_id: MembershipId,
    data: EventRange,
-    _headers: AdminHeaders,
+    headers: AdminHeaders,
    mut conn: DbConn,
 ) -> JsonResult {
+    if org_id != headers.org_id {
+        err!("Organization not found", "Organization id's do not match");
+    }
    // Return an empty vec when we org events are disabled.
    // This prevents client errors
    let events_json: Vec<Value> = if !CONFIG.org_events_enabled() {
@@ -238,8 +245,8 @@ async fn _log_user_event(
    ip: &IpAddr,
    conn: &mut DbConn,
 ) {
-    let orgs = Membership::get_orgs_by_user(user_id, conn).await;
-    let mut events: Vec<Event> = Vec::with_capacity(orgs.len() + 1); // We need an event per org and one without an org
+    let memberships = Membership::find_by_user(user_id, conn).await;
+    let mut events: Vec<Event> = Vec::with_capacity(memberships.len() + 1); // We need an event per org and one without an org

    // Upstream saves the event also without any org_id.
    let mut event = Event::new(event_type, event_date);
@@ -250,10 +257,11 @@ async fn _log_user_event(
    events.push(event);

    // For each org a user is a member of store these events per org
-    for org_id in orgs {
+    for membership in memberships {
        let mut event = Event::new(event_type, event_date);
        event.user_uuid = Some(user_id.clone());
-        event.org_uuid = Some(org_id);
+        event.org_uuid = Some(membership.org_uuid);
+        event.org_user_uuid = Some(membership.uuid);
        event.act_user_uuid = Some(user_id.clone());
        event.device_type = Some(device_type);
        event.ip_address = Some(ip.to_string());
@@ -210,8 +210,8 @@ fn config() -> Json<Value> {
        // This means they expect a version that closely matches the Bitwarden server version
        // We should make sure that we keep this updated when we support the new server features
        // Version history:
-        // - Individual cipher key encryption: 2023.9.1
-        "version": "2024.2.0",
+        // - Individual cipher key encryption: 2024.2.0
+        "version": "2025.1.0",
        "gitHash": option_env!("GIT_REV"),
        "server": {
          "name": "Vaultwarden",
@@ -26,8 +26,8 @@ pub fn routes() -> Vec<Route> {
 #[derive(Serialize, Deserialize)]
 struct DuoData {
    host: String, // Duo API hostname
-    ik: String,   // integration key
-    sk: String,   // secret key
+    ik: String,   // client id
+    sk: String,   // client secret
 }

 impl DuoData {
@@ -111,8 +111,8 @@ async fn get_duo(data: Json<PasswordOrOtpData>, headers: Headers, mut conn: DbCo
        json!({
            "enabled": enabled,
            "host": data.host,
-            "secretKey": data.sk,
-            "integrationKey": data.ik,
+            "clientSecret": data.sk,
+            "clientId": data.ik,
            "object": "twoFactorDuo"
        })
    } else {
@@ -129,8 +129,8 @@ async fn get_duo(data: Json<PasswordOrOtpData>, headers: Headers, mut conn: DbCo
 #[serde(rename_all = "camelCase")]
 struct EnableDuoData {
    host: String,
-    secret_key: String,
-    integration_key: String,
+    client_secret: String,
+    client_id: String,
    master_password_hash: Option<String>,
    otp: Option<String>,
 }
@@ -139,8 +139,8 @@ impl From<EnableDuoData> for DuoData {
    fn from(d: EnableDuoData) -> Self {
        Self {
            host: d.host,
-            ik: d.integration_key,
-            sk: d.secret_key,
+            ik: d.client_id,
+            sk: d.client_secret,
        }
    }
 }
@@ -151,7 +151,7 @@ fn check_duo_fields_custom(data: &EnableDuoData) -> bool {
        st.is_empty() || s == DISABLED_MESSAGE_DEFAULT
    }

-    !empty_or_default(&data.host) && !empty_or_default(&data.secret_key) && !empty_or_default(&data.integration_key)
+    !empty_or_default(&data.host) && !empty_or_default(&data.client_secret) && !empty_or_default(&data.client_id)
 }

 #[post("/two-factor/duo", data = "<data>")]
@@ -186,8 +186,8 @@ async fn activate_duo(data: Json<EnableDuoData>, headers: Headers, mut conn: DbC
    Ok(Json(json!({
        "enabled": true,
        "host": data.host,
-        "secretKey": data.sk,
-        "integrationKey": data.ik,
+        "clientSecret": data.sk,
+        "clientId": data.ik,
        "object": "twoFactorDuo"
    })))
 }
@@ -542,10 +542,29 @@ pub struct OrgHeaders {
    pub device: Device,
    pub user: User,
    pub membership_type: MembershipType,
+    pub membership_status: MembershipStatus,
    pub membership: Membership,
    pub ip: ClientIp,
 }

+impl OrgHeaders {
+    fn is_member(&self) -> bool {
+        // NOTE: we don't care about MembershipStatus at the moment because this is only used
+        // where an invited, accepted or confirmed user is expected if this ever changes or
+        // if from_i32 is changed to return Some(Revoked) this check needs to be changed accordingly
+        self.membership_type >= MembershipType::User
+    }
+    fn is_confirmed_and_admin(&self) -> bool {
+        self.membership_status == MembershipStatus::Confirmed && self.membership_type >= MembershipType::Admin
+    }
+    fn is_confirmed_and_manager(&self) -> bool {
+        self.membership_status == MembershipStatus::Confirmed && self.membership_type >= MembershipType::Manager
+    }
+    fn is_confirmed_and_owner(&self) -> bool {
+        self.membership_status == MembershipStatus::Confirmed && self.membership_type == MembershipType::Owner
+    }
+}
+
 #[rocket::async_trait]
 impl<'r> FromRequest<'r> for OrgHeaders {
    type Error = &'static str;
@@ -557,39 +576,25 @@ impl<'r> FromRequest<'r> for OrgHeaders {
        // but there are cases where it is a query value.
        // First check the path, if this is not a valid uuid, try the query values.
        let url_org_id: Option<OrganizationId> = {
-            let mut url_org_id = None;
-            if let Some(Ok(org_id)) = request.param::<&str>(1) {
-                if uuid::Uuid::parse_str(org_id).is_ok() {
-                    url_org_id = Some(org_id.to_string().into());
-                }
+            if let Some(Ok(org_id)) = request.param::<OrganizationId>(1) {
+                Some(org_id.clone())
+            } else if let Some(Ok(org_id)) = request.query_value::<OrganizationId>("organizationId") {
+                Some(org_id.clone())
+            } else {
+                None
            }
-
-            if let Some(Ok(org_id)) = request.query_value::<&str>("organizationId") {
-                if uuid::Uuid::parse_str(org_id).is_ok() {
-                    url_org_id = Some(org_id.to_string().into());
-                }
-            }
-
-            url_org_id
        };

        match url_org_id {
-            Some(org_id) => {
+            Some(org_id) if uuid::Uuid::parse_str(&org_id).is_ok() => {
                let mut conn = match DbConn::from_request(request).await {
                    Outcome::Success(conn) => conn,
                    _ => err_handler!("Error getting DB"),
                };

                let user = headers.user;
-                let membership = match Membership::find_by_user_and_org(&user.uuid, &org_id, &mut conn).await {
-                    Some(member) => {
-                        if member.status == MembershipStatus::Confirmed as i32 {
-                            member
-                        } else {
-                            err_handler!("The current user isn't confirmed member of the organization")
-                        }
-                    }
-                    None => err_handler!("The current user isn't member of the organization"),
+                let Some(membership) = Membership::find_by_user_and_org(&user.uuid, &org_id, &mut conn).await else {
+                    err_handler!("The current user isn't member of the organization");
                };

                Outcome::Success(Self {
@@ -597,13 +602,22 @@ impl<'r> FromRequest<'r> for OrgHeaders {
                    device: headers.device,
                    user,
                    membership_type: {
-                        if let Some(org_usr_type) = MembershipType::from_i32(membership.atype) {
-                            org_usr_type
+                        if let Some(member_type) = MembershipType::from_i32(membership.atype) {
+                            member_type
                        } else {
                            // This should only happen if the DB is corrupted
                            err_handler!("Unknown user type in the database")
                        }
                    },
+                    membership_status: {
+                        if let Some(member_status) = MembershipStatus::from_i32(membership.status) {
+                            // NOTE: add additional check for revoked if from_i32 is ever changed
+                            // to return Revoked status.
+                            member_status
+                        } else {
+                            err_handler!("User status is either revoked or invalid.")
+                        }
+                    },
                    membership,
                    ip: headers.ip,
                })
@@ -619,6 +633,7 @@ pub struct AdminHeaders {
    pub user: User,
    pub membership_type: MembershipType,
    pub ip: ClientIp,
+    pub org_id: OrganizationId,
 }

 #[rocket::async_trait]
@@ -627,13 +642,14 @@ impl<'r> FromRequest<'r> for AdminHeaders {

    async fn from_request(request: &'r Request<'_>) -> Outcome<Self, Self::Error> {
        let headers = try_outcome!(OrgHeaders::from_request(request).await);
-        if headers.membership_type >= MembershipType::Admin {
+        if headers.is_confirmed_and_admin() {
            Outcome::Success(Self {
                host: headers.host,
                device: headers.device,
                user: headers.user,
                membership_type: headers.membership_type,
                ip: headers.ip,
+                org_id: headers.membership.org_uuid,
            })
        } else {
            err_handler!("You need to be Admin or Owner to call this endpoint")
@@ -679,6 +695,7 @@ pub struct ManagerHeaders {
    pub device: Device,
    pub user: User,
    pub ip: ClientIp,
+    pub org_id: OrganizationId,
 }

 #[rocket::async_trait]
@@ -687,7 +704,7 @@ impl<'r> FromRequest<'r> for ManagerHeaders {

    async fn from_request(request: &'r Request<'_>) -> Outcome<Self, Self::Error> {
        let headers = try_outcome!(OrgHeaders::from_request(request).await);
-        if headers.membership_type >= MembershipType::Manager {
+        if headers.is_confirmed_and_manager() {
            match get_col_id(request) {
                Some(col_id) => {
                    let mut conn = match DbConn::from_request(request).await {
@@ -707,6 +724,7 @@ impl<'r> FromRequest<'r> for ManagerHeaders {
                device: headers.device,
                user: headers.user,
                ip: headers.ip,
+                org_id: headers.membership.org_uuid,
            })
        } else {
            err_handler!("You need to be a Manager, Admin or Owner to call this endpoint")
@@ -741,7 +759,7 @@ impl<'r> FromRequest<'r> for ManagerHeadersLoose {

    async fn from_request(request: &'r Request<'_>) -> Outcome<Self, Self::Error> {
        let headers = try_outcome!(OrgHeaders::from_request(request).await);
-        if headers.membership_type >= MembershipType::Manager {
+        if headers.is_confirmed_and_manager() {
            Outcome::Success(Self {
                host: headers.host,
                device: headers.device,
@@ -786,6 +804,7 @@ impl ManagerHeaders {
            device: h.device,
            user: h.user,
            ip: h.ip,
+            org_id: h.membership.org_uuid,
        })
    }
 }
@@ -794,6 +813,7 @@ pub struct OwnerHeaders {
    pub device: Device,
    pub user: User,
    pub ip: ClientIp,
+    pub org_id: OrganizationId,
 }

 #[rocket::async_trait]
@@ -802,11 +822,12 @@ impl<'r> FromRequest<'r> for OwnerHeaders {

    async fn from_request(request: &'r Request<'_>) -> Outcome<Self, Self::Error> {
        let headers = try_outcome!(OrgHeaders::from_request(request).await);
-        if headers.membership_type == MembershipType::Owner {
+        if headers.is_confirmed_and_owner() {
            Outcome::Success(Self {
                device: headers.device,
                user: headers.user,
                ip: headers.ip,
+                org_id: headers.membership.org_uuid,
            })
        } else {
            err_handler!("You need to be Owner to call this endpoint")
@@ -814,6 +835,30 @@ impl<'r> FromRequest<'r> for OwnerHeaders {
    }
 }

+pub struct OrgMemberHeaders {
+    pub host: String,
+    pub user: User,
+    pub org_id: OrganizationId,
+}
+
+#[rocket::async_trait]
+impl<'r> FromRequest<'r> for OrgMemberHeaders {
+    type Error = &'static str;
+
+    async fn from_request(request: &'r Request<'_>) -> Outcome<Self, Self::Error> {
+        let headers = try_outcome!(OrgHeaders::from_request(request).await);
+        if headers.is_member() {
+            Outcome::Success(Self {
+                host: headers.host,
+                user: headers.user,
+                org_id: headers.membership.org_uuid,
+            })
+        } else {
+            err_handler!("You need to be a Member of the Organization to call this endpoint")
+        }
+    }
+}
+
 //
 // Client IP address detection
 //
@@ -1,8 +1,10 @@
-use std::env::consts::EXE_SUFFIX;
-use std::process::exit;
-use std::sync::{
-    atomic::{AtomicBool, Ordering},
-    RwLock,
+use std::{
+    env::consts::EXE_SUFFIX,
+    process::exit,
+    sync::{
+        atomic::{AtomicBool, Ordering},
+        RwLock,
+    },
 };

 use job_scheduler_ng::Schedule;
@@ -12,7 +14,7 @@ use reqwest::Url;
 use crate::{
    db::DbConnType,
    error::Error,
-    util::{get_env, get_env_bool, get_web_vault_version, parse_experimental_client_feature_flags},
+    util::{get_env, get_env_bool, get_web_vault_version, is_valid_email, parse_experimental_client_feature_flags},
 };

 static CONFIG_FILE: Lazy<String> = Lazy::new(|| {
@@ -114,6 +116,14 @@ macro_rules! make_config {
                serde_json::from_str(&config_str).map_err(Into::into)
            }

+            fn clear_non_editable(&mut self) {
+                $($(
+                    if !$editable {
+                        self.$name = None;
+                    }
+                )+)+
+            }
+
            /// Merges the values of both builders into a new builder.
            /// If both have the same element, `other` wins.
            fn merge(&self, other: &Self, show_overrides: bool, overrides: &mut Vec<String>) -> Self {
@@ -660,9 +670,9 @@ make_config! {
        _enable_duo:            bool,   true,   def,     true;
        /// Attempt to use deprecated iframe-based Traditional Prompt (Duo WebSDK 2)
        duo_use_iframe:         bool,   false,  def,     false;
-        /// Integration Key
+        /// Client Id
        duo_ikey:               String, true,   option;
-        /// Secret Key
+        /// Client Secret
        duo_skey:               Pass,   true,   option;
        /// Host
        duo_host:               String, true,   option;
@@ -677,7 +687,7 @@ make_config! {
        /// Use Sendmail |> Whether to send mail via the `sendmail` command
        use_sendmail:                  bool,   true,   def,     false;
        /// Sendmail Command |> Which sendmail command to use. The one found in the $PATH is used if not specified.
-        sendmail_command:              String, true,   option;
+        sendmail_command:              String, false,  option;
        /// Host
        smtp_host:                     String, true,   option;
        /// DEPRECATED smtp_ssl |> DEPRECATED - Please use SMTP_SECURITY
@@ -893,12 +903,12 @@ fn validate_config(cfg: &ConfigItems) -> Result<(), Error> {
            let command = cfg.sendmail_command.clone().unwrap_or_else(|| format!("sendmail{EXE_SUFFIX}"));

            let mut path = std::path::PathBuf::from(&command);
-
+            // Check if we can find the sendmail command to execute when no absolute path is given
            if !path.is_absolute() {
-                match which::which(&command) {
-                    Ok(result) => path = result,
-                    Err(_) => err!(format!("sendmail command {command:?} not found in $PATH")),
-                }
+                let Ok(which_path) = which::which(&command) else {
+                    err!(format!("sendmail command {command} not found in $PATH"))
+                };
+                path = which_path;
            }

            match path.metadata() {
@@ -932,8 +942,8 @@ fn validate_config(cfg: &ConfigItems) -> Result<(), Error> {
            }
        }

-        if (cfg.smtp_host.is_some() || cfg.use_sendmail) && !cfg.smtp_from.contains('@') {
-            err!("SMTP_FROM does not contain a mandatory @ sign")
+        if (cfg.smtp_host.is_some() || cfg.use_sendmail) && !is_valid_email(&cfg.smtp_from) {
+            err!(format!("SMTP_FROM '{}' is not a valid email address", cfg.smtp_from))
        }

        if cfg._enable_email_2fa && cfg.email_token_size < 6 {
@@ -1146,12 +1156,17 @@ impl Config {
        })
    }

-    pub fn update_config(&self, other: ConfigBuilder) -> Result<(), Error> {
+    pub fn update_config(&self, other: ConfigBuilder, ignore_non_editable: bool) -> Result<(), Error> {
        // Remove default values
        //let builder = other.remove(&self.inner.read().unwrap()._env);

        // TODO: Remove values that are defaults, above only checks those set by env and not the defaults
-        let builder = other;
+        let mut builder = other;
+
+        // Remove values that are not editable
+        if ignore_non_editable {
+            builder.clear_non_editable();
+        }

        // Serialize now before we consume the builder
        let config_str = serde_json::to_string_pretty(&builder)?;
@@ -1186,7 +1201,7 @@ impl Config {
            let mut _overrides = Vec::new();
            usr.merge(&other, false, &mut _overrides)
        };
-        self.update_config(builder)
+        self.update_config(builder, false)
    }

    /// Tests whether an email's domain is allowed. A domain is allowed if it
@@ -56,11 +56,11 @@ pub fn encode_random_bytes<const N: usize>(e: Encoding) -> String {
 pub fn get_random_string(alphabet: &[u8], num_chars: usize) -> String {
    // Ref: https://rust-lang-nursery.github.io/rust-cookbook/algorithms/randomness.html
    use rand::Rng;
-    let mut rng = rand::thread_rng();
+    let mut rng = rand::rng();

    (0..num_chars)
        .map(|_| {
-            let i = rng.gen_range(0..alphabet.len());
+            let i = rng.random_range(0..alphabet.len());
            alphabet[i] as char
        })
        .collect()
@@ -150,6 +150,7 @@ impl AuthRequest {
            auth_requests::table
                .filter(auth_requests::user_uuid.eq(user_uuid))
                .filter(auth_requests::request_device_identifier.eq(device_uuid))
+                .filter(auth_requests::approved.is_null())
                .order_by(auth_requests::creation_date.desc())
                .first::<AuthRequestDb>(conn).ok().from_db()
        }}
@@ -142,7 +142,7 @@ impl Cipher {
        sync_type: CipherSyncType,
        conn: &mut DbConn,
    ) -> Value {
-        use crate::util::format_date;
+        use crate::util::{format_date, validate_and_format_date};

        let mut attachments_json: Value = Value::Null;
        if let Some(cipher_sync_data) = cipher_sync_data {
@@ -220,7 +220,7 @@ impl Cipher {
                    })
                    .map(|mut d| match d.get("lastUsedDate").and_then(|l| l.as_str()) {
                        Some(l) => {
-                            d["lastUsedDate"] = json!(crate::util::validate_and_format_date(l));
+                            d["lastUsedDate"] = json!(validate_and_format_date(l));
                            d
                        }
                        _ => {
@@ -261,6 +261,11 @@ impl Cipher {
                    type_data_json["uri"] = uris[0]["uri"].clone();
                }
            }
+
+            // Check if `passwordRevisionDate` is a valid date, else convert it
+            if let Some(pw_revision) = type_data_json["passwordRevisionDate"].as_str() {
+                type_data_json["passwordRevisionDate"] = json!(validate_and_format_date(pw_revision));
+            }
        }

        // Fix secure note issues when data is invalid
@@ -589,6 +589,7 @@ impl CollectionUser {
                .inner_join(collections::table.on(collections::uuid.eq(users_collections::collection_uuid)))
                .filter(collections::org_uuid.eq(org_uuid))
                .inner_join(users_organizations::table.on(users_organizations::user_uuid.eq(users_collections::user_uuid)))
+                .filter(users_organizations::org_uuid.eq(org_uuid))
                .select((users_organizations::uuid, users_collections::collection_uuid, users_collections::read_only, users_collections::hide_passwords, users_collections::manage))
                .load::<CollectionUserDb>(conn)
                .expect("Error loading users_collections")
@@ -685,13 +686,15 @@ impl CollectionUser {
        }}
    }

-    pub async fn find_by_collection_swap_user_uuid_with_member_uuid(
+    pub async fn find_by_org_and_coll_swap_user_uuid_with_member_uuid(
+        org_uuid: &OrganizationId,
        collection_uuid: &CollectionId,
        conn: &mut DbConn,
    ) -> Vec<CollectionMembership> {
        let col_users = db_run! { conn: {
            users_collections::table
                .filter(users_collections::collection_uuid.eq(collection_uuid))
+                .filter(users_organizations::org_uuid.eq(org_uuid))
                .inner_join(users_organizations::table.on(users_organizations::user_uuid.eq(users_collections::user_uuid)))
                .select((users_organizations::uuid, users_collections::collection_uuid, users_collections::read_only, users_collections::hide_passwords, users_collections::manage))
                .load::<CollectionUserDb>(conn)
@@ -49,6 +49,8 @@ pub enum EventType {
    UserClientExportedVault = 1007,
    // UserUpdatedTempPassword = 1008, // Not supported
    // UserMigratedKeyToKeyConnector = 1009, // Not supported
+    UserRequestedDeviceApproval = 1010,
+    // UserTdeOffboardingPasswordSet = 1011, // Not supported

    // Cipher
    CipherCreated = 1100,
@@ -69,6 +71,7 @@ pub enum EventType {
    CipherSoftDeleted = 1115,
    CipherRestored = 1116,
    CipherClientToggledCardNumberVisible = 1117,
+    CipherClientToggledTOTPSeedVisible = 1118,

    // Collection
    CollectionCreated = 1300,
@@ -94,6 +97,10 @@ pub enum EventType {
    // OrganizationUserFirstSsoLogin = 1510, // Not supported
    OrganizationUserRevoked = 1511,
    OrganizationUserRestored = 1512,
+    OrganizationUserApprovedAuthRequest = 1513,
+    OrganizationUserRejectedAuthRequest = 1514,
+    OrganizationUserDeleted = 1515,
+    OrganizationUserLeft = 1516,

    // Organization
    OrganizationUpdated = 1600,
@@ -105,6 +112,7 @@ pub enum EventType {
    // OrganizationEnabledKeyConnector = 1606, // Not supported
    // OrganizationDisabledKeyConnector = 1607, // Not supported
    // OrganizationSponsorshipsSynced = 1608, // Not supported
+    // OrganizationCollectionManagementUpdated = 1609, // Not supported

    // Policy
    PolicyUpdated = 1700,
@@ -117,6 +125,13 @@ pub enum EventType {
    // ProviderOrganizationAdded = 1901, // Not supported
    // ProviderOrganizationRemoved = 1902, // Not supported
    // ProviderOrganizationVaultAccessed = 1903, // Not supported
+
+    // OrganizationDomainAdded = 2000, // Not supported
+    // OrganizationDomainRemoved = 2001, // Not supported
+    // OrganizationDomainVerified = 2002, // Not supported
+    // OrganizationDomainNotVerified = 2003, // Not supported
+
+    // SecretRetrieved = 2100, // Not supported
 }

 /// Local methods
@@ -55,6 +55,7 @@ db_object! {
 }

 // https://github.com/bitwarden/server/blob/b86a04cef9f1e1b82cf18e49fc94e017c641130c/src/Core/Enums/OrganizationUserStatusType.cs
+#[derive(PartialEq)]
 pub enum MembershipStatus {
    Revoked = -1,
    Invited = 0,
@@ -62,6 +63,19 @@ pub enum MembershipStatus {
    Confirmed = 2,
 }

+impl MembershipStatus {
+    pub fn from_i32(status: i32) -> Option<Self> {
+        match status {
+            0 => Some(Self::Invited),
+            1 => Some(Self::Accepted),
+            2 => Some(Self::Confirmed),
+            // NOTE: we don't care about revoked members where this is used
+            // if this ever changes also adapt the OrgHeaders check.
+            _ => None,
+        }
+    }
+}
+
 #[derive(Copy, Clone, PartialEq, Eq, num_derive::FromPrimitive)]
 pub enum MembershipType {
    Owner = 0,
@@ -152,6 +166,7 @@ impl PartialOrd<MembershipType> for i32 {
 /// Local methods
 impl Organization {
    pub fn new(name: String, billing_email: String, private_key: Option<String>, public_key: Option<String>) -> Self {
+        let billing_email = billing_email.to_lowercase();
        Self {
            uuid: OrganizationId(crate::util::get_uuid()),
            name,
@@ -307,8 +322,8 @@ use crate::error::MapResult;
 /// Database methods
 impl Organization {
    pub async fn save(&self, conn: &mut DbConn) -> EmptyResult {
-        if !email_address::EmailAddress::is_valid(self.billing_email.trim()) {
-            err!(format!("BillingEmail {} is not a valid email address", self.billing_email.trim()))
+        if !crate::util::is_valid_email(&self.billing_email) {
+            err!(format!("BillingEmail {} is not a valid email address", self.billing_email))
        }

        for member in Membership::find_by_org(&self.uuid, conn).await.iter() {
@@ -449,7 +464,7 @@ impl Membership {
            "familySponsorshipValidUntil": null,
            "familySponsorshipToDelete": null,
            "accessSecretsManager": false,
-            "limitCollectionCreation": true,
+            "limitCollectionCreation": self.atype < MembershipType::Manager, // If less then a manager return true, to limit collection creations
            "limitCollectionCreationDeletion": true,
            "limitCollectionDeletion": true,
            "allowAdminAccessToAllCollectionItems": true,
@@ -267,8 +267,8 @@ impl User {
    }

    pub async fn save(&mut self, conn: &mut DbConn) -> EmptyResult {
-        if self.email.trim().is_empty() {
-            err!("User email can't be empty")
+        if !crate::util::is_valid_email(&self.email) {
+            err!(format!("User email {} is not a valid email address", self.email))
        }

        self.updated_at = Utc::now().naive_utc();
@@ -408,8 +408,8 @@ impl Invitation {
    }

    pub async fn save(&self, conn: &mut DbConn) -> EmptyResult {
-        if self.email.trim().is_empty() {
-            err!("Invitation email can't be empty")
+        if !crate::util::is_valid_email(&self.email) {
+            err!(format!("Invitation email {} is not a valid email address", self.email))
        }

        db_run! {conn:
@@ -1,7 +1,6 @@
-use std::str::FromStr;
-
 use chrono::NaiveDateTime;
 use percent_encoding::{percent_encode, NON_ALPHANUMERIC};
+use std::{env::consts::EXE_SUFFIX, str::FromStr};

 use lettre::{
    message::{Attachment, Body, Mailbox, Message, MultiPart, SinglePart},
@@ -26,7 +25,7 @@ fn sendmail_transport() -> AsyncSendmailTransport<Tokio1Executor> {
    if let Some(command) = CONFIG.sendmail_command() {
        AsyncSendmailTransport::new_with_command(command)
    } else {
-        AsyncSendmailTransport::new()
+        AsyncSendmailTransport::new_with_command(format!("sendmail{EXE_SUFFIX}"))
    }
 }

@@ -595,13 +594,13 @@ async fn send_with_selected_transport(email: Message) -> EmptyResult {
            // Match some common errors and make them more user friendly
            Err(e) => {
                if e.is_client() {
-                    debug!("Sendmail client error: {:#?}", e);
+                    debug!("Sendmail client error: {:?}", e);
                    err!(format!("Sendmail client error: {e}"));
                } else if e.is_response() {
-                    debug!("Sendmail response error: {:#?}", e);
+                    debug!("Sendmail response error: {:?}", e);
                    err!(format!("Sendmail response error: {e}"));
                } else {
-                    debug!("Sendmail error: {:#?}", e);
+                    debug!("Sendmail error: {:?}", e);
                    err!(format!("Sendmail error: {e}"));
                }
            }
@@ -236,8 +236,11 @@ function checkSecurityHeaders(headers, omit) {
        "referrer-policy": ["same-origin"],
        "x-xss-protection": ["0"],
        "x-robots-tag": ["noindex", "nofollow"],
+        "cross-origin-resource-policy": ["same-origin"],
        "content-security-policy": [
-            "default-src 'self'",
+            "default-src 'none'",
+            "font-src 'self'",
+            "manifest-src 'self'",
            "base-uri 'self'",
            "form-action 'self'",
            "object-src 'self' blob:",
@@ -55,6 +55,11 @@ impl Fairing for AppHeaders {
        res.set_raw_header("Referrer-Policy", "same-origin");
        res.set_raw_header("X-Content-Type-Options", "nosniff");
        res.set_raw_header("X-Robots-Tag", "noindex, nofollow");
+
+        if !res.headers().get_one("Content-Type").is_some_and(|v| v.starts_with("image/")) {
+            res.set_raw_header("Cross-Origin-Resource-Policy", "same-origin");
+        }
+
        // Obsolete in modern browsers, unsafe (XS-Leak), and largely replaced by CSP
        res.set_raw_header("X-XSS-Protection", "0");

@@ -74,7 +79,9 @@ impl Fairing for AppHeaders {
            // # Mail Relay: https://bitwarden.com/blog/add-privacy-and-security-using-email-aliases-with-bitwarden/
            // app.simplelogin.io, app.addy.io, api.fastmail.com, quack.duckduckgo.com
            let csp = format!(
-                "default-src 'self'; \
+                "default-src 'none'; \
+                font-src 'self'; \
+                manifest-src 'self'; \
                base-uri 'self'; \
                form-action 'self'; \
                object-src 'self' blob:; \
@@ -461,6 +468,23 @@ pub fn parse_date(date: &str) -> NaiveDateTime {
    DateTime::parse_from_rfc3339(date).unwrap().naive_utc()
 }

+/// Returns true or false if an email address is valid or not
+///
+/// Some extra checks instead of only using email_address
+/// This prevents from weird email formats still excepted but in the end invalid
+pub fn is_valid_email(email: &str) -> bool {
+    let Ok(email) = email_address::EmailAddress::from_str(email) else {
+        return false;
+    };
+    let Ok(email_url) = url::Url::parse(&format!("https://{}", email.domain())) else {
+        return false;
+    };
+    if email_url.path().ne("/") || email_url.domain().is_none() || email_url.query().is_some() {
+        return false;
+    }
+    true
+}
+
 //
 // Deployment environment methods
 //
Author	SHA1	Message	Date
Daniel	1109293992	Update Rust to 1.84.1 (#5508 ) - also update the crates - add necessary modifications for `rand` upgrade - `small_rng` is enabled by default now	2025-02-01 13:16:32 +01:00
Mathijs van Veluw	3c29f82974	Allow all manager to create collections again (#5488 ) * Allow all manager to create collections again This commit checks if the member is a manager or better, and if so allows it to createCollections. We actually check if it is less then a Manager, since the `limitCollectionCreation` should be set to false to allow it and true to prevent. This should fix an issue discussed in #5484 Signed-off-by: BlackDex <black.dex@gmail.com> * Fix some small issues Signed-off-by: BlackDex <black.dex@gmail.com> --------- Signed-off-by: BlackDex <black.dex@gmail.com>	2025-01-29 20:41:31 +01:00
Roman Ratiner	663f88e717	Fix Duo Field Names for Web Client (#5491 ) * Fix Duo Field Names for Web Client * Fix Api Validation * Rename Duo Labels In Admin	2025-01-29 12:00:14 +01:00
Stefan Melmuk	a3dccee243	add and use new event types (#5482 ) * add additional event_types * use correct event_type when leaving an org * use correct event type when deleting a user * also correctly log auth requests * add correct membership info to event log	2025-01-28 11:25:53 +01:00
Mathijs van Veluw	c0ebe0d982	Fix passwordRevisionDate format (#5477 )	2025-01-27 20:16:59 +01:00
Win‮8201‭Linux‬	1b46c80389	Make sure the icons are displayed correctly in desktop clients (#5469 )	2025-01-27 18:29:24 +01:00
Stefan Melmuk	2c549984c0	let invited members access OrgMemberHeaders (#5461 )	2025-01-27 18:27:11 +01:00
Stefan Melmuk	ecab7a50ea	hide already approved (or declined) devices (#5467 )	2025-01-27 18:21:22 +01:00
Stefan Melmuk	2903a3a13a	only validate SMTP_FROM if necessary (#5442 )	2025-01-25 05:46:43 +01:00
Mathijs van Veluw	952992c85b	Org fixes (#5438 ) * Security fixes for admin and sendmail Because the Vaultwarden Admin Backend endpoints did not validated the Content-Type during a request, it was possible to update settings via CSRF. But, this was only possible if there was no `ADMIN_TOKEN` set at all. To make sure these environments are also safe I added the needed content-type checks at the functions. This could cause some users who have scripts which uses cURL for example to adjust there commands to provide the correct headers. By using a crafted favicon and having access to the Admin Backend an attacker could run custom commands on the host/container where Vaultwarden is running on. The main issue here is that we allowed the sendmail binary name/path to be changed. To mitigate this we removed this configuration item and only then `sendmail` binary as a name can be used. This could cause some issues where the `sendmail` binary is not in the `$PATH` and thus not able to be started. In these cases the admins should make sure `$PATH` is set correctly or create a custom shell script or symlink at a location which is in the `$PATH`. Added an extra security header and adjusted the CSP to be more strict by setting `default-src` to `none` and added the needed missing specific policies. Also created a general email validation function which does some more checking to catch invalid email address not found by the email_address crate. Signed-off-by: BlackDex <black.dex@gmail.com> * Fix security issue with organizationId validation Because of a invalid check/validation of the OrganizationId which most of the time is located in the path but sometimes provided as a URL Parameter, the parameter overruled the path ID during the Guard checks. This resulted in someone being able to execute commands as an Admin or Owner of the OrganizationId fetched from the parameter, but the API endpoints then used the OrganizationId located in the path instead. This commit fixes the extraction of the OrganizationId in the Guard and also added some extra validations of this OrgId in several functions. Also added an extra `OrgMemberHeaders` which can be used to only allow access to organization endpoints which should only be accessible by members of that org. Signed-off-by: BlackDex <black.dex@gmail.com> * Update server version in config endpoint Updated the server version reported to the clients to `2025.1.0`. This should make Vaultwarden future proof for the newer clients released by Bitwarden. Signed-off-by: BlackDex <black.dex@gmail.com> * Fix and adjust build workflow The build workflow had an issue with some `if` checks. For one they had two `$` signs, and it is not recommended to use `always()` since canceling a workflow does not cancel those calls. Using `!cancelled()` is the preferred way. Signed-off-by: BlackDex <black.dex@gmail.com> * Update crates Signed-off-by: BlackDex <black.dex@gmail.com> * Allow sendmail to be configurable This reverts a previous change which removed the sendmail to be configurable. We now set the config to be read-only, and omit all read-only values from being stored during a save action from the admin interface. Signed-off-by: BlackDex <black.dex@gmail.com> * Add more org_id checks Added more org_id checks at all functions which use the org_id in there path. Signed-off-by: BlackDex <black.dex@gmail.com> --------- Signed-off-by: BlackDex <black.dex@gmail.com>	2025-01-25 01:32:09 +01:00